Please briefly describe:
1) What systems are currently secured by CG Protect?
2) Any new systems you want to secure with Intapp Walls? (we typically recommend adding new systems in a Phase 2)
3) Are notifications sent from CG Protect?
4) Do you monitor DMS activity with CG Protect? (replaced with Activity Tracker)
5) Do you manage External Users with CG Protect? These are called "Limited Access" in CG Protect and Contractor Walls in Intapp Walls: users who should not have access to public documents in the DMS, only to those clients/matters to which they are explicitly granted access.
6) Matter Team Manager - Do you want to allow delegating team adds/removes to partners (or any other users you choose)?
7) Do you manage groups in CG Protect?

Key differences between Intapp Walls and CompliGuard Protect

Intapp Walls does not use SQL triggers. Instead, the "Incremental Repair" process checks the DMS activity history table every minute to detect changes that need to be repaired.

Intapp Walls does not allow maintaining groups in the application. Groups must be synced from a source like Active Directory or iManage.

By default, DMS Self-Maintaining in Intapp Walls adds only users who authored documents for a given matter rather than anyone who accessed it. However, we have a script that enables activity-based self-maintaining through the Generic DMS Self-Maintaining feature if requested.

Intapp Walls creates an iManage security group per client or matter secured. CG Protect allows putting multiple groups on a wall, which are added as separate groups in the DMS. Intapp Walls will consolidate into a single security group per client/matter secured.

Intapp Walls allows overlapping walls. The Policy Conflict Resolution model determines the effective security when there are overlapping walls. For example, if there is a client level inclusionary wall and a matter level exclusionary wall, the documents will be private to all users granted access at the client level except the excluded user.

Intapp Walls Software Licence

Auditing

DMS Security

Confidentiality

Advanced Security

Remote Access

Remote Access to Intapp Walls servers through Citrix or similar (direct access discount)

Activity Tracker can typically monitor custom systems as long as activity logs are available that can be linked to specific clients/matters and imported into the Activity Tracker Intermediate Database.

Dynamic Groups – Auto-populate and maintain groups based on metadata such as practice group, office, jurisdiction or any other segment we can extract from the firm’s data. Typically used with Foundational Walls, which is recommended for walls over 100 matters to ensure reasonable performance.

Lawyer Portal (SharePoint or IIS Web Parts) – The Lawyer Portal integrates with Microsoft SharePoint to give lawyers visibility of the policies that affect them. It also allows users to identify screens through a simple search. There are 4 out-of-the-box web parts provided by Intapp:

MyWalls – Lawyers see only the walls they are on. They can acknowledge outstanding requests from notifications.

Multiple NetDocuments Regions?

Intapp Walls does not support securing multiple regions simultaneously yet. If the firm has multiple regions, Inflection IT has built a workaround which requires implementing 2 Intapp Walls instances.

Only a single NetDocuments region needs to be secured

Implement 2 Intapp Walls instances

Let's discuss

NetDocuments Extension Limitations

Non-sequential Execution of API Methods – NetDocuments API methods run asynchronously, and the execution order of these methods is not guaranteed. This means that if operations are performed quickly in Intapp Walls, the resulting security changes being performed via the NetDocuments API may run in the wrong order. The full repair process will later correct any problems or wrong security that might result. However, it may still be preferable to make sure that the security operations related to one Intapp Walls operation are complete before beginning the next operation.

Client/Matter Lookup – NetDocuments API does not support the exact lookup of a client or matter. Rather, the API only supports retrieving a client or matter that starts with a given ID value. To address this, Intapp Walls filters the results returned from the lookup to find a client or matter that is an exact match. However, the API method can only return a maximum of 500 results. This means that security may not be applied for clients and matters with IDs located at the beginning of over 500 other client or matter IDs. For example, if Intapp Walls applies security for client "1" and there are over 500 other clients also starting with "1" (e.g., "1000", "1001", ... "1999"), then security may not be applied for client "1" in NetDocuments. Note: For matters, this problem only occurs for matters with the same client.
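An added example (not Intapp or NetDocuments code): an offline audit over an exported ID list that flags client IDs, and matter IDs within one client, that are a prefix of more than 500 other IDs and so may be missed by the prefix lookup described above. The function names and sample IDs are constructed for illustration, and no API is called.

```python
from collections import Counter, defaultdict

LOOKUP_CAP = 500  # maximum results per prefix lookup, per the text above


def shadowed_ids(ids, cap=LOOKUP_CAP):
    """Return the IDs that are a prefix of more than `cap` other IDs."""
    unique = set(ids)
    starts_with = Counter()
    for ident in unique:
        # Credit every leading substring, so starts_with[p] ends up as the
        # number of IDs a "starts with p" lookup would have to return.
        for end in range(1, len(ident) + 1):
            starts_with[ident[:end]] += 1
    # The count includes the ID itself; subtract it to get the *other* IDs.
    return sorted(i for i in unique if starts_with[i] - 1 > cap)


def audit(clients, matters, cap=LOOKUP_CAP):
    """clients: client IDs; matters: (client_id, matter_id) pairs.

    Matters are checked per client, since the text notes that the problem
    only occurs between matters of the same client.
    """
    per_client = defaultdict(list)
    for client_id, matter_id in matters:
        per_client[client_id].append(matter_id)
    risky_matters = {}
    for client_id, matter_ids in per_client.items():
        hits = shadowed_ids(matter_ids, cap)
        if hits:
            risky_matters[client_id] = hits
    return shadowed_ids(clients, cap), risky_matters


# Constructed sample data, not taken from any real repository.
SAMPLE_CLIENTS = ["1", "2", "20", "21"] + [str(n) for n in range(1000, 2000)]
SAMPLE_MATTERS = (
    [("10005", "1")] + [("10005", str(n)) for n in range(1000, 1601)]
    + [("10006", "1")] + [("10006", str(n)) for n in range(10, 20)]
)

if __name__ == "__main__":
    risky_clients, risky_matters = audit(SAMPLE_CLIENTS, SAMPLE_MATTERS)
    print("clients to verify after repair:", risky_clients)
    print("matters to verify after repair:", risky_matters)
```

IDs the audit reports are the ones whose security should be checked directly in NetDocuments after a wall is enabled.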

MassACL Call – Intapp Walls uses a mass call to adjust permissions for content matching the search criteria (client and matter). NetDocuments has a limitation that this MassACL adjusts no more than 10,000 items. To minimize the impact of this limitation, Intapp Walls performs these security changes at the matter level. However, should a single secured matter contain more than 10,000 items, there is no guarantee which items will have the ACL adjusted. NetDocuments has removed this limitation to allow this call to be unlimited in the 16.3 (September 2016) release. Please consult the latest NetDocuments REST API documentation for current documented limitations and method details.

Group Cache – In order to improve performance of the NetDocuments security actions, the Intapp Walls application creates a group cache of the security groups and GUID values. This cache is named for the repository and is stored at: C:\Users\\AppData\Roaming\Intapp . The NetDocuments API call used to retrieve all groups within a Repository has an undocumented limitation of 10,000 with the NetDocuments 16.3 release. Customers on versions of Intapp Walls prior to 6.2.6 with >10,000 total groups in the repository should be aware of this limitation. The 6.2.6 release of Walls introduced a temporary workaround for this behavior to prevent security change issues for groups not returned within 10,000. This workaround has the potential to leave unused, obsolete security groups within the repository, should the customer environment exceed this group limitation. As of 6.3, the group retrieval has been paginated to eliminate this limitation.

Unknown Group – When groups are deleted from a repository but still exist on an individual ACL for a document, this can lead to an unknown group displaying on an object. These are typically resolved internally by NetDocuments within 30 minutes, but may require NetDocuments support involvement. During execution of the incremental repair, the presence of these Unknown groups will cause ACL modifications for exclusionary and contractor type policies to fail. Intapp Walls has introduced a warning to denote these cases.

Security Processing Delays – Certain REST calls are processed according to a queue within NetDocuments. Based on performance testing tracing call completion, large policy (3000 clients with 2000 users) enable and disable actions have been observed to take in excess of 48 hours.

Network Optimizer-caused Issues – Presence of network optimization software, such as Riverbed Steelhead, can cause issues for on-premise software communicating with NetDocuments servers. This can be manifested as random errors returned by the REST API. The network optimization software needs to be either disabled in such cases or configured to bypass the endpoints involved in this interaction.

Hosted Worksite Extension Limitations

The following limitations apply to the Hosted extension, as compared with the on-premise version:

Interwoven::ContractorGroupsOnPrivateObjects does not work; both private and public documents are secured, regardless of the option’s value.

Client-only profiled documents (i.e., no matter on profile) will not get their security updated by Walls.

Documents in a workspace profiled to a different matter than the workspace itself will get the workspace security.

Intapp Time - Time Core Extension Limitation

The Time Core (DTE Axiom) client is limited in the total number of rows the Validation table can hold before start-up performance is affected. These performance impacts can occur with as few as 2 million rows. Please ensure this limitation is discussed and policies are optimized to minimize security rows.

Limitation - CMS Conflicts Model Exception

There may be performance issues if there are many instances of overlapping client level and matter level inclusionary walls. The workaround is limited to affected clients that have no more than 5000 matters.

Decisiv Extension Limitations

Inclusionary Security – The Decisiv extension does not support exclusionary security. Any users that are denied access to a client or matter (via an exclusionary wall) will not be explicitly excluded from client/matter information on the Decisiv server. However, any overriding exclusionary walls (e.g., Client Inclusion + Matter Exclusion) will prevent users from obtaining explicit access to client/matter information on the Decisiv server.

Domain Issues – Decisiv Server and Decisiv client software work within a single domain. While the Decisiv extension currently functions in a cross-domain environment, this may not always be possible or practical. To prevent future issues, it is recommended that the Decisiv Extension be installed on the same domain as the Decisiv Server.

Performance – The Decisiv extension secures client/matter projects through use of the highly inefficient Decisiv XML API. Depending on server performance and the amount of security information, it is possible that the security of each client or matter project can take many seconds. Certain operations, such as Self Maintaining or enabling multiple walls simultaneously, may take much longer than in other extensions.

Project References – Decisiv uses an identifier (called “reference ID”) to attach a unique value to every object within the Decisiv taxonomy. The Decisiv extension uses this value to secure the appropriate client/matter objects. As a result, it is imperative that any client IDs within Intapp Walls match reference IDs of client projects within Decisiv (e.g., 10005). In a similar fashion, all matter IDs within Intapp Walls must match the properly formatted reference IDs (including the client/matter separator character) of matter projects within Decisiv (e.g., 10005-0001). As such, the creation of new client/matter projects should only be performed by someone who is familiar with Intapp Walls and understands this requirement. Additionally, the Decisiv extension requires that the client/matter separator character (see ClientMatterSeparatorChar in the Intapp Walls Administration Guide) contains a valid delimiting character.

Client Folder Security – Since folder-level security is not supported in Decisiv, it is not possible for the Decisiv extension to secure folders directly; only projects may be secured. If the client IDs within Intapp Walls correspond to Decisiv folders, then it is not possible for the Decisiv extension to secure client information. To address this limitation, the Decisiv::OnlySecureMatters configuration flag has been created. This flag specifies whether the extension service should only secure matters in the Decisiv extension. This should only be enabled if clients are represented with a folder (instead of a project) in the Decisiv taxonomy. All matter projects will continue to be secured, regardless of this flag’s value. See the Intapp Walls Administration Guide for additional information. To avoid this limitation, it is recommended that client information within Decisiv be organized using projects instead of folders, where possible.

Intapp Walls Generic Extension - Use Case

Please describe your use case for the Generic Extension.

If securing a custom system, please describe the security model of the custom system to be secured.
1) How is content tagged to a client or matter?
2) How would an administrator apply security manually if a matter needed to be made private to only a group of users?
3) How would an administrator apply security manually if a single user needed to be denied access to a matter?
4) Will Inflection IT write this integration or will your firm develop it after being trained on how to integrate with the Generic Extension?

File Shares (secure Windows DFS)

File Share Extension

File Share Extension Details

Secures by creating Active Directory groups. There are known limitations, including:
1) Active Directory "token bloat" can cause users to be locked out if an individual user is in 1000+ groups. Users in too many groups can be configured to be added as an individual instead, but this has a negative performance impact.
2) A single folder cannot have more than 1800 users.
Performance Note: Large firms with many walls have experienced full repair run times of up to 3 weeks.